COMMENTS

That has been fixed in Debian quite a while back

https://www.debian.org/security/2018/dsa-4110

I remember updating after seeing the Bugtraq posting.

This time El Reg is a bit late to the party, everyone has gone home already to sober up.

Additionally, the article is incorrect. Reading the POC exploit you need to have AUTH enabled. While you do not need to AUTH successfully, the server in question should be set to authenticate users. That somewhat limits the scope as "pure" mail relays would not be affected.

The bug was reported to the Exim maintainers on the 5th February, then under an NDA to distros and cloud services. What has just happened is that Mel has released more (but not full) details. There's no public POC either.

There was a bit of a panic when one distro broke the embargo and the patch became public a few days early, on a Friday of all days in the week.

Re: There are alternatives...

Depends on your use case. If you need to do some serious conditional processing based on headers, postfix just doesn't deliver (sic). As an exim guy needing to do this in an existing postfix installation, I tried, believe me. I really did try. Swapping MTAs in a live environment is not for the faint-hearted.

Re: There are alternatives...

@teknopaul: Current recommendation

I'd start with Postfix if you've never managed an MTA before. Simple doesn't seem to be a possibility in this space, but Postfix is relatively easy to set up if you just want to receive and relay for local mailboxes and handle transactional email from local webapps. If your human users want IMAP/POP3, you probably want Dovecot also.

Re: There are alternatives...

qmail, wow... haven't come across that since 2001. I guess qmail's got at least one thing going for it: it's pretty stable (as in not many changes). Looking at Debian's changelog, there seem to be half a dozen changes to the qmail package in the past 8 years.

Myself, I switched from Sendmail to Postfix maybe in 2001 or maybe early 2002 (the last time I ran internal email for an employer, at the time set up using McAfee and Sophos AV). I don't recall a specific driving factor, though Postfix is generally easier to configure for my use cases. I haven't really had a need to look at Exim or others since. I don't have fancy setups though, and mail volume is low.

@Mike Pellatt - Re: There are alternatives...

I do conditional post-processing on headers using Postfix as my MTA, using entirely separate programs executed via the /etc/aliases mechanism. If I wanted to do selective processing pre-queuing, I'd probably use the Postfix Milter interface for this. Better in my view to modularise what you need to do into different programs, but the usual stuff lots of other sites want, including ClamAV and DKIM, seems reasonably straightforward (compared to Sendmail) to integrate.